Looking for Leadership on Internet Privacy

In October 2011, Twitter user and Occupy Wall Street activist Malcolm Harris was charged with a petty crime while attending an Occupy protest on the Brooklyn Bridge. Despite the minor nature of the alleged infraction—the maximum punishment at stake was a fine of $250 or 15 days in jail—the prosecution demanded that Twitter provide information regarding Harris’ contacts, tweets, and locations derived from IP address logs.

Harris challenged the subpoena and soon earned the support of Twitter, which argued that the police had no right to demand private information about its users. Advocacy groups like the Electronic Frontier Foundation (EFF), the ACLU, and Public Citizen also stepped in to help. But when the city of New York threatened to hold Twitter in contempt of court, the company caved, turning over the warrantlessly subpoenaed data.

So who has access to the information we share online, and how is it protected? These questions concern what the U.S. Federal Trade Commission calls “fair information practices,” or FIPs.

Astonishingly, according to the Electronic Privacy Information Center, “There is no single federal minimum standard for data protection that enforces fair information practices.” Indeed, the Electronic Communications Privacy Act (ECPA)—which “allows law enforcement authorities to request all data or e-mail without the need for a warrant,” according to author and activist Rebecca MacKinnon—has not been updated since 1986, well before the Internet age.

As illustrated by the Harris case, the companies and governments that control these digital networks—which MacKinnon calls the “digital sovereigns”—have a significant impact on how we as individuals relate to government, business, and society. In her book Consent of the Networked, MacKinnon explains that these entities “control who knows what about our identities under what circumstances; our access to information; our ability to transmit and share information publicly and privately; and even whom and what we can know.”

Therefore, the regulation of information-sharing platforms like Facebook, Google Plus, and Twitter—as well as policy regarding digital privacy and information retention at large—will have major ramifications for global democratic processes and should not be taken lightly.

A Privacy Bill of Rights?

To address concerns about abuse of individuals’ private data, the Obama administration has proffered a Consumer Privacy Bill of Rights, a nonbinding document the administration wants to use as the foundation for federal legislation or regulatory action based on seven broad principals. These include individual control of personal data, transparency, and respect for the context in which data is collected, as well as security, accuracy, and accountability by data collectors.

Daniel Weitzner, an officer in charge of Internet guidelines at the White House Office of Science and Technology Policy, described the Consumer Privacy Policy Bill of Rights as a two-step process. The first step, he said, is to use the multi-stakeholder approach to establish “enforceable codes of conduct” that are consistent with international commitments for global interoperability. The second step would be for Congress to recognize the framework as statute. In this way, the regulations would be flexible enough to allow individual businesses to fine-tune broader principles to best suit their needs.

It’s not just law enforcement agencies and private companies that want to pry away this information—the Obama campaign team itself is an avid collector of user information. In an op-ed for Politico, Dave Levinthal stridently criticized Obama’s so-called privacy policy, calling it hypocritical in light of the Obama campaign’s heavy reliance on information collection. Levinthal points out that the Obama campaign has built a centralized digital database at its Chicago headquarters that contains information about millions of desired voters, and the campaign’s website collects scads of data regarding users’ identification, location, and mobile devices. Jeff Chester, executive director for the Center for Digital Democracy in Washington, D.C., has urged Obama to confront the rhetorical incongruence between “timeless privacy values” and the use of “contemporary digital tools to operate a stunning commercial surveillance system.” Chester fumes, “The idea that the Obama campaign can create a political dossier on you that they can act upon without asking permission first is outrageous.”

Yet according to Brad Smith, chairman of the pro-free speech Center for Competitive Politics and a former Federal Election Commission chairman, in an increasingly networked world with “people volunteering more and more about themselves in online realms” and “political entities armed with increasingly sophisticated message targeting tools,” it is simply impossible to maintain “the same expectation of privacy as you once did.”

Increased transparency, citizen access to government, and access to candidate information are all positives for democracy heralded by the Internet age. But it turns out that the powers that be have enhanced their own information collection capacities all the more so.

The policy world is still scrambling for answers. In response to law enforcement’s harassment of data companies, a handful of tech companies and advocacy groups founded the coalition Digital Due Process (DDP). The DDP coalition includes large international companies like Google, Facebook, Microsoft, and AT&T, as well as civil liberties groups who lobby Congress for an update of the outdated ECPA. Their main goal is to require the government to possess a valid warrant based on probable cause before seizing personal information. This is exactly what Twitter was challenging in the Harris case, which illustrated the utter inadequacy of the existing legal framework for privacy protection.

Leadership from Europe

Many industrialized countries lack government controls on the length of time a business can retain your Internet traffic data, but Europe has seen some movement toward increasing consumer protections.

In 2009, the European Commission began reviewing the data protection policies it had in place at the time. In 2010, a draft strategy including proposals to change the EU Data Protection Directive was circulated. The key goals were to strengthen the rights of individuals, enhance the free flow of information, extend privacy safeguards to police and criminal justice records, provide high levels of protection for data transfers outside of the EU, and provide for better enforcement of privacy regulations.

Proposals included EU-wide registration forms for databases; new rules on privacy notices; requirements to seek consumers’ consent to collect, use, and transfer data; the right to be forgotten; and many others, including punitive measures for violators. In December 2011, the draft version of the EU General Data Protection Regulation was finally released. According to EPIC, “The EU Data Protection Directive contains strengthened protections concerning the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs” and for these reasons they fully support its implementation. The EFF is also a supporter of the EU Data Protection Directive.

However, not all EU countries are moving in such a progressive direction.

The United Kingdom’s Draft Communications Data Bill—or Snooper’s Charter—is raising concerns among privacy advocates because, according to EFF, it will require “the generation of data specifically and only for law enforcement access.” The Global Network Initiative (GNI) has criticized the bill because it says the data to be generated is not generally collected for business or ISP use, and the new rules would affect anyone in the UK who uses communication services. The GNI warns that this bill will expand already oppressive regulations like the Regulatory and Investigatory Powers Act (RIPA) and the EU Data Retention Directive.

Hopelessly Antiquated

Outside the UK, growing pro-privacy agitation in EU countries like Germany, Austria, and Sweden may signal a shift toward European leadership in democratic Internet policymaking—which would be fitting, given that the U.S. laws governing Internet privacy were written before the Internet was even available to the public!

Brad Smith was correct in noting that people are willingly sharing more and more about themselves. However, does this mean, as he suggests, that we must change our ideas about what our right to privacy means? Did the constitutional definition somehow change with the invention of social media?

U.S. privacy policies are devastatingly antiquated, and every time policymakers try to update them, they get sidelined by political benefactors in the industry. New policies will only be useful if they take into account the ramifications they will have on domestic and global democracy.